mod_userdir in lighttpd 1.4.18 and earlier, when userdir.path is not set, uses a default of $HOME, which might allow remote attackers to read arbitrary files, as demonstrated by accessing the ~nobody directory.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-03-10T21:00:00

Updated: 2024-08-07T08:17:34.265Z

Reserved: 2008-03-10T00:00:00

Link: CVE-2008-1270

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2008-03-10T21:44:00.000

Modified: 2018-10-11T20:31:26.917

Link: CVE-2008-1270

cve-icon Redhat

No data.